Information Commissioner's Office 


Consultation: 


Direct Marketing Code 


Start date: 8 January 2020 


End date: 4 March 2020 




Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals' rights.


The public consultation on the draft code will remain open until 4 
March 2020. The Information Commissioner welcomes feedback on
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 

Privacy statement


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that 
they are an individual acting in a private capacity (eg a member of 
the public). All responses from organisations and individuals acting 
in a professional capacity (eg sole traders, academics etc) will be 
published but any personal data will be removed before publication 
(including email addresses and telephone numbers). 


For more information about what we do with personal data please 
see Our privacy notice. 

Questions


Q1 Is the draft code clear and easy to understand?


(x) Yes
( ) No


If no please explain why and how we could improve this: 


Q2 Does the draft code contain the right level of detail? 
(When answering please remember that the code does not 
seek to duplicate all our existing data protection and e-privacy 
guidance) 


( ) Yes
(x) No


If no please explain what changes or improvements you would 
like to see: 


There are many references to the obligations of third parties for specific direct 
marketing activities. The draft code conveys that appropriate due diligence 
should be performed but could be enhanced by providing additional examples in 
the same format of the example boxes that are scenario based. These could 
include review of policies and procedures, and evidence of compliance to 
timelines for responding to preference management requests. The draft code 
would be used by direct marketers but will also be used by third parties to 
understand their obligations to their clients so clarifying expectations would help 
both audiences. 

Q3 Does the draft code cover the right issues about direct
marketing? 


( ) Yes
( ) No


If no please outline what additional areas you would like to 
see covered: 


The draft code does cover direct marketing and channel marketing expectations 
but could provide greater clarity on key concepts within direct marketing tied to 
third party relationships. Defining a third party in the glossary would distinguish 
third party entities from data processors, since both play a role in direct 
marketing compliance. Adding context and definitions of first party data, second 
party data, and third party data into the “Does the code apply to us” section 
would assist readers with understanding the nuances of those differences before
evaluating the requirements of each type of marketing activity. 


Q4 Does the draft code address the areas of data protection and 
e-privacy that are having an impact on your organisation’s 
direct marketing practices? 


( ) Yes
(x) No


If no please outline what additional areas you would like to 
see covered: 


Conducting due diligence in third party relationships requires an organisation to request information to assess 
specific control areas, review evidence, and may involve the testing of controls. Within the draft code, the due 
diligence focus areas are described at a high level, but do not contain examples on how to actually define and 
implement those due diligence requirements into a repeatable process. Providing examples of the types of 
artifacts that can be used to demonstrate compliance would assist both the direct marketing and the third party 
provider ensure that the right requirements have been addressed. The draft code provides sufficient examples 
of when the entity instigating the direct marketing should perform a DPIA but does not provide clarity on when a 
third party should perform a DPIA. A third party may not be in a position to share results of other DPIAs 
performed for other clients. Rather, the direct marketer would identify if their third party has a policy to define 
what triggers a DPIA for the services they are providing and provide sufficient evidence of such completion. 
Clarifying the roles and expectations of a third party for DPIAs is important, since the third party may need to 
assist the direct marketer in completion of the controllers’ DPIA. 

Q5 Is it easy to find information in the draft code?


( ) Yes
(x) No


If no, please provide your suggestions on how the structure 
could be improved: 


References to the specific obligations of a third party are referenced throughout the 
guidance based on the type of direct marketing. The direct marketing entities that 
will be following this guidance will need to translate all of those references into their 
third party risk management program and create a set of due diligence standards to 
address direct marketing and on-line marketing third parties. Providing a separate 
section for third party requirements that addresses the expected governance model, 
due diligence and assurance would make it easier to find information in the draft 
code specific to third party obligations. This approach would also enable 
organisations to more easily compare requirements to Article 28 obligations. 


Q6 Do you have any examples of direct marketing in practice, 
good or bad, that you think it would be useful to include in the 
code? 


If yes, please provide your direct marketing examples: 


The draft code provides a very channel marketing centric set of frequently asked 
questions about each step in the direct marketing lifecycle. The draft code is written 
from an operational point of view on direct marketing execution. Direct marketing today 
relies on the development of predictive models that use the data attributes for 
modeling activities. Many organisations rely on third parties to define, manage and 
implement their models within systems. We have seen that conducting governance of 
the model itself is an element of due diligence that is required in the United States for 
specific products or services to ensure that the individual has not been harmed or 
treated unfairly. Providing references to guidance on this topic would be useful to include.


Q7 Do you have any other suggestions for the direct marketing 
code? 

The draft code extends and clarifies guidance on the use and responsibilities for the
direct marketing entity and including online advertising and new technologies. In 
marketing and selling channels, and in the digital landscape there can be a variety of 
third-party relationships that enable such activities. We would recommend adding 
clarity on roles and responsibilities for business models that include resellers, 
wholesalers, distributors which may be engaged in direct marketing. For the AdTech 
ecosystem, there are layers of third parties required to operate such environments. 
Adding clarity on expectations specific to engaging these providers and providing an 
example of appropriate terms and due diligence would be beneficial. 




About you 


Q8 Are you answering these questions as: 


(Please select the one that is most appropriate) 


( ) An individual acting in a private capacity (eg someone providing their views as a member of the public)
( ) An individual acting in a professional capacity
(x) On behalf of an organisation
( ) Other


Please specify the name of the organisation you are 
representing: 


The Shared Assessments Program. 


Shared Assessments is a global membership organisation dedicated to developing best practices,
education and tools to drive Third Party Risk Assurance through cross-industry collective intelligence
and thought leadership.


If other please specify: 


Q9 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 


Other 




Please specify: 




Thank you for responding to this consultation. 
We value your input. 


